virus trying to write to removable media after insertion

Discussion in 'Malware Help (A Specialist Will Reply)' started by Deamonn, Jan 2, 2009.

  1. Deamonn

    Deamonn Private E-2

    Hi,
    Starting from 27th December I started to encounter the following problem.
    When I inserted a SecureDigital (SD) flash disk into the card reader the following error occurred: "Windows - No Disk. Exception Processing Message c0000013 Parameters 75b6f7c 75b6f7c 75b6f7c". After pressing the Cancel button in the dialog box the following message appears:
    "notepads.exe - Write Protect Error. The disk cannot be written to because it is write protected. Please remove the write protection from the volume in drive G:". Both messages reappear again and again, at approximately 1-2 second intervals.

    Strange processes were running:
    notepads.exe
    intranetexplorer.exe

    Scanning with VirusScan Enterprise 8.5.0.i (database and engine updated) gave following detections:
    * W32/Sdbot.worm!ftp (Virus)
    * Generic!atr (Trojan)
    * Generic.dx
    * Generic StartPage (Trojan)
    These detections were not simultaneous; some of them occurred during the on-access scan, some during the on-demand scan (logs attached in VirusScan_logs.zip).

    VirusScan reports successful deletion of infected files, but after reboot other files are infected. It seems that "Generic StartPage" is reappearing.

    Then I read and executed "READ & RUN ME FIRST. Malware Removal Guide" with no success (all logs are attached in logs.ZIP)

    And it seems that after installation of all tools required by the "Malware Removal Guide" an additional problem occurred:
    The HDD is busy all the time and CPU usage is near 60%
    The following processes take most of CPU usage:
    csrss.exe 20%
    lsass.exe 1%
    mcshield.exe 1%
    msservice.exe 3% (there may be 2 processes named msservice.exe)
    services.exe 2%
    System 2%
    It seems that the constant HDD activity occurs only when the laptop is connected to the Internet. If I restart the laptop with the WiFi adapter turned off, then after login the above-mentioned processes are inactive. But as soon as I turn WiFi on, these processes become active, the HDD is busy and the CPU is working at 60%

    I tried Kaspersky Online Scanner and it gave the following detections (log attached):
    * Trojan.Win32.StartPage.def
    * Rootkit.Win32.Agent.eii

    Please help!
     

    Last edited by a moderator: Jan 3, 2009
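The post above never says what the process is trying to write to the card, and the thread never identifies it; what follows is an added example, not code from the thread or from any of the tools it names. It assumes the symptom (a write attempt the moment removable media is inserted) is the autorun.inf plus hidden payload pattern that the Sdbot and Downad/Conficker families use to spread by USB and SD card: an `[autorun]` section whose `open`, `shellexecute` or `shell\...\command` key points at a file dropped on the volume, often inside a fake RECYCLER tree and padded with binary junk so a casual look at the file shows nothing. The script builds a constructed sample card in a temp directory (every file name and SID-like folder name in it is made up for the example) and triages it offline: it parses the autorun file the forgiving way Windows does, extracts the launch commands, resolves the files they reference on the volume, and lists the usual drop locations.

```python
"""Offline triage of a removable volume for autorun-based worm droppings.

Added example for the thread above, not code from the thread or from any
vendor tool. Assumption: the insert-and-write behaviour is the autorun.inf +
hidden payload pattern used by the Sdbot and Downad/Conficker families.
All sample data is constructed here; nothing is read from a real card.
"""
import re
import tempfile
from pathlib import Path

# [autorun] keys that make Windows run something when the volume is opened.
EXEC_KEYS = {"open", "shellexecute"}
CMD_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")   # shell\<verb>\command
KEY_RE = re.compile(r"^[a-z0-9_.\\-]+$")              # plausible INI key, not junk
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}


def parse_autorun(data: bytes) -> dict:
    """Return {key: value} for the [autorun] section.

    Windows' INI reader silently skips lines it cannot interpret, which is
    why junk padding does not break the worm's own file; we skip the same
    lines instead of failing on them.
    """
    keys, in_section = {}, False
    for raw in data.splitlines():
        line = raw.decode("latin-1").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            k = k.strip().lower()
            if KEY_RE.match(k):
                keys[k] = v.strip()
    return keys


def launch_commands(keys: dict) -> list:
    """Commands the autorun file would execute, in the order they appear."""
    return [v for k, v in keys.items() if k in EXEC_KEYS or CMD_KEY_RE.match(k)]


def referenced_files(commands: list, root: Path) -> list:
    """Files on the volume that a launch command names.

    Splitting on whitespace and commas catches the rundll32 form
    'RUNDLL32.EXE .\\dir\\lib.ext,Export', where the payload is a renamed
    DLL rather than something with an executable extension.
    """
    found = []
    for cmd in commands:
        for tok in re.split(r"[\s,]+", cmd):
            tok = tok.strip('"').lstrip(".\\/").replace("\\", "/")
            if tok and (root / tok).is_file():
                found.append(str(root / tok))
    return found


def triage_volume(root: Path) -> dict:
    """Summarise what an autorun worm would have left on a freshly inserted card."""
    inf = root / "autorun.inf"
    keys = parse_autorun(inf.read_bytes()) if inf.is_file() else {}
    cmds = launch_commands(keys)
    suspicious = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        at_root_exec = p.parent == root and p.suffix.lower() in EXEC_EXT
        in_fake_recycler = rel.parts[0].lower() == "recycler"   # usual drop spot
        if at_root_exec or in_fake_recycler:
            suspicious.append(str(p))
    return {
        "has_autorun": inf.is_file(),
        "commands": cmds,
        "referenced": referenced_files(cmds, root),
        "suspicious_executables": sorted(suspicious),
    }


def build_sample_volume() -> Path:
    """Constructed test data: a fake SD card laid out the way these worms leave it."""
    root = Path(tempfile.mkdtemp(prefix="sdcard_"))
    drop = root / "RECYCLER" / "S-1-5-21-0-0-0-1000"          # made-up SID-like name
    drop.mkdir(parents=True)
    (drop / "payload.vmx").write_bytes(b"MZ" + b"\x00" * 64)  # renamed DLL, constructed
    (root / "DCIM").mkdir()
    (root / "DCIM" / "IMG_0001.JPG").write_bytes(b"\xff\xd8\xff\xe0")  # benign photo stub
    junk = bytes(range(1, 256)) * 2      # binary padding around the real keys
    (root / "autorun.inf").write_bytes(
        b"[autorun]\r\n" + junk + b"\r\n"
        b"Action=Open folder to view files\r\n" + junk + b"\r\n"
        b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-0-0-0-1000\\payload.vmx,launch\r\n"
        b"UseAutoPlay=1\r\n"
    )
    return root


if __name__ == "__main__":
    for k, v in triage_volume(build_sample_volume()).items():
        print(f"{k}: {v}")
```

To use it on a real card, mount the card with autorun/autoplay disabled (or from a non-Windows host), point `triage_volume` at the mount point, and treat anything in `referenced` as the sample to submit; the `Action=` key is worth reading too, since these files usually mimic the "Open folder to view files" AutoPlay entry so the user launches the payload by hand.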
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have a huge amount of items in your C:\Temp folder.....a great place for malware to hide.

    Please disable all anti-virus and anti-spyware programs while we do the following ( be sure to re-enable when we are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Drivers::
    netstats
    
    File::
    c:\windows\system\msservice.exe
    C:\pushs.exe
    c:\windows\notepads.exe
    c:\documents and settings\dmitri_pahhomov\push.exe
    C:\push.exe
    c:\windows\x
    C:\Program Files\eMule\Incoming\ultrasoft money keygen.zip
    C:\Program Files\eMule\Incoming\ultrasoft money multilanguage.zip
    
    Folder::
    C:\Program Files\eMule\Incoming\ultrasoft money keygen.zip    
    C:\Program Files\eMule\Incoming\ultrasoft money multilanguage.zip
    c:\windows\x
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
  3. Deamonn

    Deamonn Private E-2

    Thank you for reply.

    Please find attached requested logs.

    Also I found weird files in the folder C:\Program Files\eMule\Incoming\ (like "Dark DDoS Tool.exe", "Keylogger.exe" and many more) which I never downloaded myself... Should I delete them and the content of C:\TEMP right now or you will instruct to delete them later?

    At the moment, something (trojan?) is trying to write to removable media as soon as it is inserted and Task Manager shows that explorer.exe takes 40% of CPU bandwidth, however HDD is not active.
     

    Last edited: Jan 6, 2009
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I will look at your logs as soon as I can, but in the mean time I would suggest you remove the entire emule folder/ program!

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    I will let you know what else to do soon.
     
  5. Deamonn

    Deamonn Private E-2

    It seems that the problem was solved after execution of Trend Micro Fixtool Worm_downad, Malwarebytes, McAfee, Spybot S&D, SuperAntiSpyware, Kaspersky Online Scanner and Ad-aware. All these tools were executed several times in different orders. At the moment everything is OK, thanks to TimW.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know...let me know if you have any remaining issues.
     
